[00:00.000 --> 00:03.960]  So I'm glad to be able to join you all today. My name is Steve Newell. I'm from
[00:03.960 --> 00:06.400]  the American Association for the Advancement of Science,
[00:06.400 --> 00:09.760]  which is the world's largest multidisciplinary scientific society,
[00:09.760 --> 00:13.180]  where I'm project director at the Center for Scientific Evidence and
[00:13.180 --> 00:16.140]  Public Issues, usually referred to as the EPI Center.
[00:16.140 --> 00:19.960]  The EPI Center works to provide accurate, concise, and actionable scientific
[00:19.960 --> 00:23.300]  information to everyone from policymakers to parents to help ensure
[00:23.300 --> 00:26.540]  that science is a part of the decision-making process.
[00:26.640 --> 00:29.800]  Election security has been one of our major initiatives since the founding of the
[00:29.800 --> 00:32.000]  Center. I'm sure many of you are already
[00:32.000 --> 00:33.780]  familiar with her, but Susan Greenhalgh is
[00:33.780 --> 00:37.460]  currently a senior advisor on election security at Free Speech for People.
[00:37.520 --> 00:40.160]  She's well known in the election security space for tireless work
[00:40.160 --> 00:44.840]  advocating for secure election protocols, paper ballot voting systems, and post-
[00:44.840 --> 00:48.140]  election audits. Susan and I are here today to talk about
[00:48.140 --> 00:51.840]  leveraging electronic ballot options safely and securely during the COVID-19
[00:51.840 --> 00:54.580]  pandemic. This presentation is based on a white
[00:54.580 --> 00:58.060]  paper with additional detail on these issues that will also be available.
[00:58.060 --> 01:01.960]  As I'm sure all of you here are well aware, COVID has scrambled existing
[01:01.960 --> 01:05.920]  policies and procedures in every area of the country, and election security is, of
[01:05.920 --> 01:08.740]  course, no exception. COVID has provided an
[01:08.740 --> 01:11.580]  additional challenge to ensuring election security and ballot access
[01:11.580 --> 01:15.760]  during this critical time. Currently, five states vote primarily by
[01:15.760 --> 01:19.140]  mail. However, during the past few months, we've seen states across the country
[01:19.140 --> 01:21.400]  working to scale up their vote-by-mail options
[01:21.400 --> 01:25.060]  and capabilities as we head towards the November elections.
[01:25.060 --> 01:28.000]  These steps have taken a variety of different forms
[01:28.000 --> 01:32.680]  between states. For example, an emergency executive order in Delaware includes a
[01:32.680 --> 01:35.000]  measure that allows voters concerned about COVID
[01:35.000 --> 01:39.280]  to qualify as sick or physically disabled, allowing them to vote absentee.
[01:39.280 --> 01:42.800]  Just to make sure the evidence is known, researchers have found
[01:42.800 --> 01:46.340]  that universal vote-by-mail has no impact on partisan
[01:46.340 --> 01:51.480]  turnout or vote share, so vote-by-mail is really a non-partisan solution to ballot
[01:51.480 --> 01:54.800]  access concerns. Work by Amber McReynolds and Charles
[01:54.800 --> 02:00.660]  Stewart highlighted 204 cases of absentee ballot-related fraud in a
[02:00.660 --> 02:04.700]  quarter of a billion votes cast over the past two decades.
[02:04.700 --> 02:08.620]  As is the case across the election space, fraud is exceedingly rare with
[02:08.620 --> 02:12.580]  vote-by-mail. Alongside this expansion of vote-by-mail,
[02:12.580 --> 02:15.520]  states are examining various solutions for remote voting,
[02:15.520 --> 02:19.000]  such as remote accessible ballot marking, which allows voters to receive
[02:19.000 --> 02:22.400]  and, if necessary, mark their ballots electronically before printing the
[02:22.400 --> 02:25.060]  ballot and returning it to their local office.
[02:25.060 --> 02:29.720]  UOCAVA was expanded significantly in 2009 when Congress passed the MOVE Act
[02:29.720 --> 02:33.240]  to provide greater protections for service members, their families, and
[02:33.240 --> 02:37.180]  other overseas citizens. Among other provisions, the MOVE Act
[02:37.180 --> 02:41.000]  requires states to transmit validly requested absentee ballots to
[02:41.000 --> 02:44.500]  UOCAVA voters no later than 45 days before a federal
[02:44.500 --> 02:47.280]  election. However, remote accessible ballot marking
[02:47.280 --> 02:49.860]  is also essential for individuals with disabilities
[02:49.860 --> 02:53.960]  or those who encounter barriers to marking a paper ballot by hand.
[02:53.960 --> 02:57.600]  We know that there is still a disability gap in voting, with roughly five percent
[02:57.600 --> 03:00.320]  lower turnout in the 2018 midterm election,
[03:00.320 --> 03:05.220]  equivalent to roughly 2.4 million votes from individuals with disabilities,
[03:05.220 --> 03:08.960]  according to research by the Rutgers School of Management and Labor Relations.
[03:08.960 --> 03:12.520]  So we know that there's an ongoing equity gap in ballot access, which is
[03:12.520 --> 03:15.720]  essential to address. Further, electronic ballot delivery can
[03:15.720 --> 03:18.540]  help fill in the gaps for when traditional mail-in voting is either not
[03:18.540 --> 03:21.660]  possible or appropriate. However, it's important to remember that
[03:21.660 --> 03:25.180]  electronic return of marked ballots is an incredibly risky endeavor.
[03:25.180 --> 03:28.740]  The National Academy has warned against it in its 2018 Systematic Review of
[03:28.740 --> 03:32.420]  Voting Security. Also in 2018, our report Susan co-authored
[03:32.420 --> 03:36.020]  with the Common Cause Education Fund, the R Street Institute, and the U.S.
[03:36.020 --> 03:39.200]  Technology Policy Committee of the Association for Computing
[03:39.200 --> 03:42.920]  Machinery provided additional warnings against internet voting.
[03:42.920 --> 03:46.660]  In April, from the EPI Center, we sent an open letter to state voting officials
[03:46.660 --> 03:51.020]  signed by more than 70 internet pioneers, scientists, security
[03:51.020 --> 03:54.280]  experts, and voting groups urging those officials not to allow
[03:54.280 --> 03:57.680]  electronic return of marked ballots due to the scientific evidence
[03:57.680 --> 04:00.500]  demonstrating these votes cannot be secured.
[04:00.500 --> 04:04.460]  Importantly, there is no way to conduct a valid audit of the results due to the
[04:04.460 --> 04:07.220]  lack of meaningful voter-verified paper records
[04:07.220 --> 04:10.060]  for electronically returned marked ballots.
[04:10.100 --> 04:13.660]  In May, the Department of Homeland Security, the Federal Bureau of
[04:13.660 --> 04:16.820]  Investigation, the National Institute of Standards and Technology,
[04:16.820 --> 04:20.200]  and the U.S. Election Assistance Commission shared similar guidance
[04:20.200 --> 04:24.200]  echoing these concerns. Even with the tools and applications available,
[04:24.200 --> 04:27.860]  this activity is still high risk. To be clear, to date,
[04:27.860 --> 04:31.600]  there's still no known technology that can secure electronic ballot return.
[04:31.600 --> 04:34.720]  So with that background, this brings us to remote ballot marking.
[04:34.720 --> 04:37.900]  Specifically, what factors should election officials keep in mind about
[04:37.900 --> 04:40.520]  these systems, particularly in terms of safeguarding
[04:40.520 --> 04:43.600]  voters' privacy and security? At this point, I'll go ahead and hand
[04:43.600 --> 04:46.460]  things off to Susan to tell you a little more about these systems.
[04:47.760 --> 04:50.420]  Thank you, Steve. And I just have to say
[04:51.700 --> 04:55.880]  it's great to be presenting here at DEFCON,
[04:55.880 --> 04:59.320]  but it's certainly bittersweet to not be able to be
[04:59.320 --> 05:03.120]  in Las Vegas with everybody and at the Voting Village
[05:03.120 --> 05:06.740]  and seeing all the great work firsthand. So I'm
[05:06.740 --> 05:10.200]  really pleased to be able to present what Steve and I have worked on together
[05:10.200 --> 05:13.960]  with this paper and the findings, even though
[05:13.960 --> 05:17.680]  it's unfortunate that we're not actually there in person. And I just
[05:17.680 --> 05:21.280]  want to preface this by saying that this paper is really geared towards all the
[05:21.280 --> 05:24.360]  election officials that are participating more and more in
[05:24.360 --> 05:27.880]  DEFCON. We're trying to highlight some of the
[05:27.880 --> 05:30.440]  known security and privacy risks of these systems
[05:30.980 --> 05:36.200]  and how election officials can become aware of them and then make choices
[05:36.200 --> 05:41.800]  to mitigate those risks. So back into the
[05:43.720 --> 05:48.040]  presentation, as we're seeing these states expand their vote-by-mail options,
[05:48.040 --> 05:52.920]  it's really important that there also be an option for disabled voters to mark a
[05:53.840 --> 05:56.640]  ballot privately and independently if they're
[05:56.640 --> 05:59.520]  choosing vote-by-mail and that they have assistive
[05:59.520 --> 06:03.800]  technology if they need it. So what we're seeing is that there are
[06:03.800 --> 06:06.020]  several systems available in the commercial market
[06:06.020 --> 06:10.000]  which will deliver a blank ballot to the voter online and then allow the
[06:10.000 --> 06:12.220]  voter to mark that ballot using the
[06:12.220 --> 06:15.740]  assistive tech that they're familiar with on their own device,
[06:15.740 --> 06:20.140]  print the ballot for the voter to return either by mail or a dropbox. So we're not
[06:20.140 --> 06:23.500]  talking about online voting here. We're talking about
[06:23.680 --> 06:26.480]  a way to assistively mark that paper ballot.
[06:26.800 --> 06:30.220]  But what we're seeing is that there's
[06:30.220 --> 06:34.340]  architecture, even though you might assume that it
[06:34.340 --> 06:38.520]  doesn't do this, it actually sends the vote choices back over the internet.
[06:38.540 --> 06:42.480]  The devil is in the details and the way these systems are designed and created.
[06:42.480 --> 06:46.240]  Many of the commercially available systems keep all of the information
[06:46.860 --> 06:51.200]  resident on a remote server so that each time the voter makes the selections
[06:51.200 --> 06:54.820]  on their own computer, that vote choice is transmitted
[06:55.500 --> 06:58.800]  back to the remote server. Now that remote server has
[06:58.800 --> 07:03.620]  already identified who the voter is because they've had to authenticate the
[07:03.620 --> 07:06.900]  voter when the ballot was pulled up and given
[07:06.900 --> 07:11.820]  to the voter. So this creates a set of records on
[07:11.820 --> 07:15.040]  that remote server of both the voter's identity and their vote selections,
[07:15.680 --> 07:22.060]  which now can enable all sorts of secrecy and privacy vulnerabilities
[07:22.060 --> 07:25.820]  or compromises if anyone gains access to that
[07:25.820 --> 07:28.700]  server, either the state, the vendor, or somebody who
[07:28.700 --> 07:33.880]  compromises it remotely. Furthermore, each time those choices are going back and
[07:33.880 --> 07:37.940]  forth over the internet, they're vulnerable to eavesdropping and spyware.
[07:38.600 --> 07:43.800]  So it's really not advisable from a security and privacy
[07:43.800 --> 07:48.500]  standpoint. And even if that remote ballot
[07:48.500 --> 07:52.420]  marking system isn't designed to send these vote
[07:52.420 --> 07:56.620]  choices back over the internet, the ballot secrecy and the vote choice
[07:56.620 --> 07:59.740]  secrecy can still be compromised when marked online.
[07:59.740 --> 08:03.340]  So we really want to minimize the number of voters that are marking their ballots
[08:03.340 --> 08:07.380]  online to minimize these security risks, because
[08:07.380 --> 08:09.180]  those vote selections are going to be recorded
[08:09.180 --> 08:13.520]  temporarily in memory on the
[08:13.520 --> 08:16.760]  voter's device as well as their printer.
[08:17.140 --> 08:21.040]  And for these reasons, we want to highlight that issue and encourage
[08:21.040 --> 08:27.040]  election officials to speak to vendors and require that the systems zero out
[08:27.040 --> 08:29.400]  the vote data upon closing the application
[08:30.080 --> 08:33.840]  when they're making these systems.
[08:33.840 --> 08:36.840]  Furthermore, voters should be encouraged to mark their ballots
[08:36.840 --> 08:41.800]  on their own devices, if at all possible, and to not use their work computers or
[08:41.800 --> 08:46.820]  any publicly available computers, which could also invite other
[08:46.820 --> 08:50.600]  opportunities for secrecy violations.
[08:52.320 --> 08:55.500]  Furthermore, it's also always important to know that there's a risk
[08:55.500 --> 08:59.120]  that the ballot marking system might not record the votes correctly.
[08:59.180 --> 09:02.480]  There can be bugs, there can be malware. For these reasons, voters
[09:02.480 --> 09:07.480]  should always be instructed that if they can, to mark the ballot by hand
[09:07.480 --> 09:10.780]  to mitigate these privacy and integrity risks.
[09:11.620 --> 09:16.700]  And if they need to use the accessible technology and
[09:16.700 --> 09:20.920]  mark the ballot by their device, that they should
[09:20.920 --> 09:24.560]  always be encouraged to check the vote choices carefully.
[09:24.680 --> 09:28.800]  And election officials are encouraged to disable the barcode feature
[09:29.480 --> 09:33.540]  on the ballot marking system and remake the ballots directly from the voter
[09:33.540 --> 09:36.680]  selection, so that you don't have any issues that
[09:36.680 --> 09:41.480]  maybe the barcode is reporting vote choices incorrectly.
[09:42.260 --> 09:45.840]  This issue has been looked at years ago by
[09:45.840 --> 09:48.040]  National Institute of Standards and Technology
[09:49.100 --> 09:52.600]  and the Center for Civic Design, which does a lot of work with
[09:53.380 --> 09:56.700]  voters with disabilities and providing accessibility.
[09:56.780 --> 10:00.040]  Both have provided clear recommendations that
[10:00.040 --> 10:04.200]  any remote accessible ballot marking system should not transmit the vote
[10:04.200 --> 10:07.380]  choices back over the internet to a remote server,
[10:07.380 --> 10:11.320]  and they should be designed so that all the vote data remains local to the
[10:11.320 --> 10:16.460]  voter's computer in a stateless state, I guess.
[10:16.720 --> 10:20.320]  It's important to note that the accessibility
[10:20.920 --> 10:24.820]  of these remote accessible ballot marking devices is not impacted
[10:25.370 --> 10:28.800]  by the configuration in either way, meaning you're not giving up
[10:28.800 --> 10:35.360]  any accessibility to provide a more secure and private remote accessible
[10:35.360 --> 10:38.900]  ballot marking system that keeps all the information local to the voter's
[10:38.900 --> 10:41.800]  computer. So there's no advantage to introducing
[10:41.800 --> 10:46.920]  these security and privacy risks. It's only upside to
[10:46.920 --> 10:50.920]  look for these devices that make these,
[10:50.920 --> 10:55.420]  that adhere to this design best practice.
[10:56.080 --> 10:59.320]  So California is a good state to look at
[10:59.320 --> 11:02.320]  that looked at these issues and put the policy
[11:02.320 --> 11:06.760]  into practice. In 2012, when California was
[11:06.760 --> 11:11.180]  moving to largely a vote-by-mail state, it wanted to make sure that there was
[11:11.180 --> 11:14.520]  accessible remote ballot marking options, looked at
[11:14.520 --> 11:19.180]  these recommendations from NIST and others, and passed a law that
[11:19.180 --> 11:22.340]  prohibited the use of any remote ballot marking
[11:22.340 --> 11:25.600]  device or system that transmitted the vote
[11:25.600 --> 11:31.140]  choices over the internet. And as a result, they have certified
[11:31.140 --> 11:33.940]  three systems that are currently commercially available
[11:34.800 --> 11:38.740]  and that meet this design best practice. So there are systems out there right now
[11:38.740 --> 11:43.340]  today that can be adopted and will protect
[11:43.340 --> 11:49.560]  the voter's secrecy. So just to give a quick summary of what
[11:49.560 --> 11:52.500]  we've just covered, states should be
[11:53.480 --> 11:57.520]  encouraged to adopt offline accessible remote ballot marking systems
[11:57.520 --> 12:01.620]  for all voters as they expand, or for voters that need it,
[12:01.620 --> 12:04.720]  that they need it when expanding vote-by-mail.
[12:04.720 --> 12:08.260]  The voters should also be instructed to carefully check
[12:08.260 --> 12:14.240]  printed ballots for errors. States should be required, states should
[12:14.240 --> 12:18.700]  require the vendors to offer systems that delete vote
[12:18.700 --> 12:22.740]  choices from all the memory when the application is closed.
[12:22.780 --> 12:25.960]  Voters should be encouraged to avoid using
[12:25.960 --> 12:29.920]  networked or public devices if possible, and
[12:29.920 --> 12:35.040]  election officials should consider disabling the barcode feature
[12:35.420 --> 12:40.120]  and remaking ballots directly from the voter's choices.
[12:40.760 --> 12:43.860]  So now we're going to look at the risks of online blank
[12:43.860 --> 12:47.920]  ballot delivery, and I'm turning it back over to Steve.
[12:49.000 --> 12:53.760]  Thanks, Susan. So as Susan mentioned, how do we minimize risk with online blank
[12:53.760 --> 12:56.440]  ballot delivery? The National Academy's report in 2018
[12:56.440 --> 13:00.360]  described online blank ballot delivery as acceptable,
[13:00.360 --> 13:04.380]  and the recent DHS guidance described it as low risk. However, it's important to
[13:04.380 --> 13:08.680]  remember that low risk is not no risk. So the risks with blank ballot delivery
[13:08.680 --> 13:12.220]  systems are those that would impact the integrity and/or availability of the
[13:12.220 --> 13:15.640]  ballots, such as altering or removing vote choices.
[13:15.700 --> 13:19.520]  Some electronic ballot delivery systems perform functions to verify a voter's
[13:19.520 --> 13:22.260]  identity before presenting them their assigned ballot.
[13:22.260 --> 13:25.680]  The identification process can use personal identifying information, such
[13:25.680 --> 13:29.820]  as name and driver's license number, or biometrics. When this
[13:29.820 --> 13:32.180]  verification is improperly configured, remote
[13:32.180 --> 13:35.020]  electronic ballot delivery systems can present
[13:35.660 --> 13:40.560]  additional privacy risk, such as the loss or theft of the voter's personal and/or
[13:40.560 --> 13:44.240]  biometric identity information. Voters who have had their information
[13:44.240 --> 13:47.700]  stolen or harvested previously could have their ballots at risk,
[13:47.700 --> 13:52.000]  especially automated attacks. Speed and efficiency of automated attacks can
[13:52.000 --> 13:54.760]  increase the impact of these attacks considerably.
[13:54.920 --> 13:58.620]  Further, many ballot scanners cannot read ballots printed from voters' home
[13:58.620 --> 14:01.860]  printers because the paper weight and size are incompatible.
[14:01.860 --> 14:05.640]  So the voter selections must be hand copied onto traditional paper
[14:05.640 --> 14:08.200]  ballot stock that can be read by those scanners.
[14:08.200 --> 14:11.200]  This can be a time and resource consuming process that burdens
[14:11.200 --> 14:15.520]  already limited election staff and volunteers. The copying process
[14:15.520 --> 14:19.660]  also presents a potential source of inaccuracy, as even an incredibly low
[14:19.660 --> 14:23.620]  copying error rate can impact elections if the volume of copied ballots is
[14:23.620 --> 14:26.760]  sufficiently high. Importantly, the original returned
[14:26.760 --> 14:29.240]  ballots should be kept for auditing purposes.
[14:29.380 --> 14:32.440]  Finally, this may also create a health risk for election workers who are
[14:32.440 --> 14:35.900]  typically directed to sit in pairs in order to prevent manipulation or
[14:35.900 --> 14:39.480]  fraud. Without transparent oversight or strict security protocols,
[14:39.480 --> 14:42.900]  this process introduces opportunities for error or tampering.
[14:43.040 --> 14:45.920]  So here I'll go ahead and turn things back over to Susan to go through some of
[14:45.920 --> 14:49.720]  the best practices and recommendations to keep in mind as officials prepare for
[14:49.720 --> 14:54.580]  the upcoming election. Thanks, Steve. So we're just going to
[14:54.580 --> 14:59.600]  summarize the takeaways. We urge election
[14:59.600 --> 15:03.200]  officials to follow the best practices of NIST and to
[15:03.200 --> 15:07.080]  only adopt and certify remote accessible ballot marking systems
[15:07.080 --> 15:12.320]  that confine the vote selections data to the voters' devices and remove the
[15:12.320 --> 15:16.340]  choices from all memory when the application is
[15:16.340 --> 15:20.700]  closed. To limit the use of electronic ballot
[15:20.700 --> 15:25.380]  delivery only to the voters that can't get a
[15:25.380 --> 15:30.300]  mailed pre-printed ballot, so that you're limiting the risks of that
[15:30.300 --> 15:32.800]  online blank ballot delivery that Steve just
[15:32.800 --> 15:37.600]  talked about, or limit it to voters that
[15:37.600 --> 15:44.540]  may need an electronic ballot to mark the ballot with a remote accessible
[15:45.100 --> 15:50.440]  system. To urge election officials to make printing the blank ballot the
[15:51.240 --> 15:57.240]  default action of any ballot downloaded to encourage the voters to fill out the
[15:57.240 --> 16:00.300]  blank ballot with a pen before mailing it.
[16:01.320 --> 16:07.080]  We also encourage voters who must use an accessible
[16:08.380 --> 16:13.140]  remote ballot marking system to use their own personal devices,
[16:13.140 --> 16:16.880]  networks, and printers, if at all possible,
[16:16.880 --> 16:21.100]  rather than others' infrastructure, unless they may have some
[16:21.880 --> 16:25.860]  privacy concerns at home. Recommend that no voter should
[16:25.860 --> 16:29.320]  ever enter vote choices into a device that's connected to the internet, and
[16:29.320 --> 16:32.720]  maybe we skipped over that, but it's ideal that the device should be
[16:32.720 --> 16:36.260]  disconnected from the internet once the ballot is downloaded when the marking
[16:36.260 --> 16:39.360]  process is being executed.
[16:40.440 --> 16:43.940]  Instruct voters who do not mark their ballot with a computer or device to
[16:43.940 --> 16:47.040]  carefully... I'm sorry, who do mark their ballot with a
[16:47.040 --> 16:50.700]  computer device to carefully check and verify that their vote choices were
[16:50.700 --> 16:51.860]  recorded correctly.
[16:53.560 --> 16:57.460]  To election officials, we also encourage that they...
[16:57.460 --> 17:01.920]  them to disable the barcode feature and to remake the ballots directly from the
[17:01.920 --> 17:05.920]  voter selections, retain that original ballot, and use the
[17:05.920 --> 17:10.140]  human readable part for all audits and recounts so that you
[17:10.140 --> 17:12.360]  have the original record of voter intent
[17:12.790 --> 17:18.720]  when doing an audit or recount, not from the remade ballot. And consider
[17:19.500 --> 17:23.060]  electronically delivered ballots to be at higher risk for unauthorized
[17:23.060 --> 17:28.220]  duplication, and consider authentication of the
[17:28.220 --> 17:33.780]  voter's identity and eligibility when looking at those ballots. So I think
[17:33.780 --> 17:39.400]  we can wrap up with that. Any final words, Steve?
[17:39.860 --> 17:43.980]  No, I think you've covered it all, Susan. Great, thank you all so much.
[17:43.980 --> 17:47.860]  It was great to be able to present this information.
[17:48.440 --> 17:55.180]  The paper is on both of our websites if you're looking to get more
[17:55.180 --> 17:59.320]  information. And thank you very much. Thank you all.
[17:59.320 --> 18:01.160]  Hope to see you in Vegas next year.
